CVE-2021-26919

{"id": "CVE-2021-26919", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2021-03-30T08:15:11.340", "references": [{"url": "https://lists.apache.org/thread.html/r443e2916c612fbd119839c0fc0729327d6031913a75081adac5b43ad%40%3Cdev.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r470f8c92eb5df45f41b3ae609b6315b6c5ff51b3ceb2f09f00ca620f%40%3Cdev.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r6bc68264170046448f823d12c17fd1fd875251d97d60869f58709872%40%3Ccommits.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/r7a531ec123570cb7875ff991cf115f99e9ef99a48b3cf3fa4f9d9864%40%3Ccommits.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/ra85fa7d31f9bec1148ffd2e4030934927caa8bff89bca9f61f75e697%40%3Cdev.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E", "tags": ["Mailing List", "Vendor Advisory"], "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/re0910cf4c784897774427fecd95912fb565a6bd06d924a55e70bbbfc%40%3Ccommits.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/re4c5deb0aae4bace69844d15c9fd1699e907ebfee93bc3926474d110%40%3Cdev.druid.apache.org%3E", "source": "security@apache.org"}, {"url": "https://lists.apache.org/thread.html/rf3ea2a4018e87e6c45d36cf8479af7727dcc276edabd2f7cf59e0c5f%40%3Cdev.druid.apache.org%3E", "source": "security@apache.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Apache Druid allows users to read data from other database systems using JDBC. This functionality is to allow trusted users with the proper permissions to set up lookups or submit ingestion tasks. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Druid server processes. This issue was addressed in Apache Druid 0.20.2"}, {"lang": "es", "value": "Apache Druid, permite a usuarios leer datos de otros sistemas de bases de datos usando JDBC. Esta funcionalidad permite a usuarios confiables con los permisos apropiados configurar b\u00fasquedas o enviar tareas de ingesti\u00f3n. El controlador MySQL JDBC admite determinadas propiedades que, si no se mitigan, pueden permitir a un atacante ejecutar c\u00f3digo arbitrario desde un servidor MySQL malicioso controlado por un hacker dentro de los procesos del servidor Druid. Este problema se solucion\u00f3 en Apache Druid versi\u00f3n 0.20.2"}], "lastModified": "2023-11-07T03:31:49.750", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:apache:druid:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7FDA9ED4-9440-490F-B4E5-141D4F23C03F", "versionEndExcluding": "0.20.2"}], "operator": "OR"}]}], "sourceIdentifier": "security@apache.org"}